Feature Article: Vendor Management for Healthcare

by Bill Jenkins, Senior Security Engineer, Coalfire

We’ve all seen the commercials on TV about various discount auto insurance policies.  In 30 minutes or less you can have a nice basic policy at a minimum cost.  Of course there’s the other side of the story as other commercials remind us.  Your policy may meet the basic needs, but the quality of support and the speed of response may be lacking.  In other words, you get what you pay for.

Covered entities are required to have agreements in place with all business associates.  But who qualifies as a business associate?  According to the Department of Health and Human Services (HHS), a business associate (BA) is "a person or entity that performs…activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity" (http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html).

So basically any vendor, service provider, or third party doing work for a healthcare provider could be a BA.

The requirements for a Business Associate agreement (contract) between a covered entity (CE) and a BA are relatively straightforward, and HHS provides sample wording of the terms: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html

Basically, the BA promises to properly protect all Protected Health Information (PHI), to allow the CE to inspect its procedures and practices, and to report any suspected exposure of sensitive information.  It's fairly simple, and many such agreements have been put into place with little additional thought, sort of like buying the minimum inexpensive car insurance.

Once the agreement is in place, what happens next?  In most cases, nothing, until there is a breach, an audit, or something else happens.  According to the terms of the agreement, the CE is supposed to be able to inspect the practices of the BA.  But that takes time and effort, so often it is not done.  Again, you get what you pay for.

With the introduction of HIPAA/HITECH, the stakes for CEs and their BAs have gone up considerably compared to what they used to be.  First, the definition of, and the requirements for, a BA were broadened beyond the one described above.  A Breach Notification Rule was added that puts the responsibility, fines, and publicity associated with any breach on the CE, even if the breach was the result of the actions of a BA.  At a time when more and more companies are outsourcing to manage costs, the liability of such transfers remains squarely with the CE.

To meet these new challenges, Coalfire strongly recommends active Vendor Management in addition to passive Business Associate agreements.  But what is Vendor Management?  Vendor Management (VM) involves actively looking at your BAs as part of your enterprise and not some black box that just provides a product or service.  VM means that you need to extend your security and privacy program to your BAs so they are at least as secure as you are.

Activities and options to be considered:

  • Add a section to the BA agreement stating that the vendor will adopt all of the CE's policies and practices unless specifically otherwise agreed to.  Also add this as a requirement to any solicitation for services.

  • Ensure the BA's access controls are adequate and complement your own controls.

  • Ensure the BA's HR policies, practices, and background checks are consistent with yours.

  • Require the BAs to participate in breach and incident response exercises and drills.

  • Include penalties for delayed identification and notification of data exposures.

  • Insist on the right of on-site inspection or an annual independent assessment to verify actual operational practice.

As part of an integrated security and compliance practice, the implementation of Vendor Management (or third-party management) can be found in most security and IT frameworks, so companies can gain greater benefit by making this a universal program and not one focused only on HIPAA/HITECH.  For example, additional guidance can be found in COBIT, ISO 27002, and NIST SP 800-53.  These efforts may seem like a lot, but as with all controls, they should be tempered and tailored to meet the specific organization's business and risks.  Vendor Management requires an investment of time and effort, but you get what you pay for.